Organised by Eskenzi PR in media partnership with the IT Security Guru, the Most Inspiring Women in Cyber Awards aim to shed light on the remarkable women in our industry. The following is a feature on one of 2022’s Top 20 women selected by an esteemed panel of judges. Presented in a Q&A format, the nominee’s answers are written in their own words with minor edits made by the editor for readability and where relevant, supplemented with additional commentary by their nominator.
In 2022, the awards were sponsored by Beazley, BT, KPMG and KnowBe4.
Carole Embling, Information Security Manager – Awareness and Behaviour Change, Metro Bank
What does your job role entail?
My current role is all about developing and delivering an Information security (cyber security) awareness programme using a wide range of methods and tactics.
How did you get into the cybersecurity industry?
I was working as an internal business systems consultant at Royal Mail during the run up to Y2k. As I was one of 2 consultants who concentrated on information and information system use within the CEO and Chairman’s office, our questions naturally strayed into “how is the information protected and how do you know …?” All quite timely really. Straight after we entered into 2000, 22 of us from widely different areas within Royal Mail were identified to be trained to become part of the inaugural Group-wide Information Security Team. From there the team was trained by the Royal Holloway, some going on to do their MSc’s with them.
What is one of the biggest challenges you have faced as a woman in the tech/cyber industry and how did you overcome it?
My biggest challenges came from working during the 1980’s and 90’s as a young working mother with no degree in a post civil service environment. (The Post Office of which Royal Mail and what is now BT were constituent parts had split away from direct civil service control but still held some very old-fashioned ideas.) There were some amazingly enlightened directors who I worked for who recognised that I had potential and they fought the battles which allowed me to progress. However, that did not prevent many less senior, mainly IT managers, from questioning my competence and abilities, especially as I had never written a line of code in my life (I still haven’t). What I had was a natural ability to understand problems and interpret them so that non IT people could understand what IT were saying and the other way round. It meant that teams could actually communicate and understand each other!
What are your top three greatest accomplishments you have achieved during your career so far?
As I start to look back at my career, I am especially proud of everything we achieved in Royal Mail between 2000 and 2008. We had one of the biggest ISO27001 certificates in Europe at the time. I ran the conversion programme from BS7799 to the ISO standard and then continued to manage the compliance programme up until I left in 2008. During that time I also ran the communications and awareness programmes. We managed to engage 250,000 people in every area of the business and country. The greatest moment of realising that I had done it was when I would get random phone calls from all over the UK with postmen, or engineers or systems operatives asking me how to deal with managers who were asking them to do things like share passwords and they knew they should not. I had made an impact and had provided the means for them to know where to come to get help and support.
Since leaving Royal Mail I have had many roles but the other that stands out was working at BMJ where as well as dealing with Info Sec (it was basically a greenfield site as far as Info Sec was concerned at the time), for them I was also handed the role of DPO and guided them through the whole GDPR programme. That was very satisfying.
What are you doing to support other women, and/or to increase diversity, in the tech/cyber industry?
To be honest I do not specifically support anybody in particular. What I do do is to encourage anyone who talks to me to look at their basic abilities (training is available to build knowledge). Talk to them about what they are interested in and encourage them to look at aspects of Info/cyber security that match. We need so many different types of perspectives and ways of approaching situations. I am a firm believer that people should be judged on their abilities or promise of abilities rather than what sex or any other ‘differentiator’ they or others may consider they fall into.
What is one piece of advice you would give to girls/women looking to enter the cybersecurity industry?
Remember you are a person seeking to do a job in an interesting area. You don’t need to be technical as the world of Information/Cyber Security crosses every business area you can think of and we as Information Security professionals need to be able to interact with them and that takes a wide range of personalities and skills to do it successfully.